Читать книгу Cybersecurity and Third-Party Risk - Gregory C. Rasner - Страница 18

Third‐Party Risk Management (TPRM) as a discipline is not very old. In the financial sector, it was not mandated by the Office of the Comptroller of the Currency (OCC) until 2013, when it regulated that all banks must manage the risk of all their third parties. OCC 2013‐29 defined “third party” as any entity a company does business with, including vendors, suppliers, partners, affiliates, brokers, manufacturers, and agents. Third parties can include upstream (i.e., vendors) and downstream (i.e., resellers) and non‐contractual parties. Other regulated sectors have seen similar requirements, often indirectly via privacy regulations. For example, General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA) require many companies subject to these regulations to perform due diligence on vendors who have access to their customer data. This may not lead to a full‐blown risk management division or group, but someone will be required to perform some oversight in an organized process, lest they get subjected to the extreme financial penalties both regulations require.

Other risk domains exist in TPRM: strategic, reputation, operational, transaction, and compliance domains. Why is the focus in this book on the cybersecurity domain exclusively? That is where the money is. While there are financial and reputational risks for the other domains, none of them provide the level of risk to a firm such as the risk of information security. As described previously, there are number of breaches that can be directly attributed to a cybersecurity breach at a vendor. It is not that these other domains aren't important, but none of them have the impact that a cybersecurity risk poses to a firm, financially or reputationally. Perform an internet search on the other domains, and you will struggle to find results. A similar search on cybersecurity breaches produces more results than one can list in a single page. Like any organization with more than one domain, if one of those domains presents a higher risk for practitioners, and evidence shows that Information Security does, then that domain needs more research, resources, and results.

While TRPM organizations struggle to keep up with the level of breaches and incidents with vendors, evidence shows most cybersecurity organizations are not taking a lead in this domain, and that TPRM groups do not have the expertise to address this gap. According to the Ponemon Institute “Data Risk in the Third‐Party Ecosystem” study (2018), only 40 percent perform any cybersecurity due diligence. Sixty percent perform none or only ad‐hoc cybersecurity reviews. The evidence indicates that a large percent of the 40 percent (i.e., those that perform some cybersecurity due diligence) do not do enough (as evidenced by the level of breaches/incidents). TPRM organizations must begin focusing more on the Information Security domain, and either directly bring cybersecurity experts into their organizations or partner with cybersecurity teams to address the gap. Doing so will also require that a cybersecurity team is able to understand the problem with third parties and address the risk.

While the fines and publicity for failure to follow TPRM guidelines are not as big, instances of regulators acting can be found:

 In 2020, the OCC assessed an $85 million civil money penalty against USAA for failure to implement and maintain an effective risk management compliance.

 In 2020, the OCC assessed a $60 million civil money penalty against Morgan Stanley for not properly decommissioning some Wealth Management business data centers.

 In 2020, the OCC assessed a $400 million civil money penalty against Citibank for failures in enterprise risk management.

 In 2020, the Federal Reserve announced an enforcement action against Citigroup Inc., requiring that the firm correct several longstanding deficiencies.

 In 2020, the OCC assessed an $80 million civil money penalty against Capital One for not establishing an effective risk assessment process, which led to the breach in its public cloud.

 In 2013, the U.S. Security and Exchange Commission (SEC) lowered the burden of proof for proxy disclosure enhancements on risk management inadequacy from fraud to simply negligence. This means that boards of directors and senior management of publicly traded companies can no longer claim they had no knowledge about a risk.

 In 2019, the SEC and Commodities Futures Trading Commission (CFTC) charged Options Clearing Corp. with failing to establish and maintain adequate risk management policies, forcing the organization to pay a $20 million penalty.